Research uncovers IRC bot malware for Android

The Android malware masquerades as the Madden NFL 12 video game

The Android malware, which masquerades as the Madden NFL 12 video game, has three embedded modules that perform various malicious activities, explained Arun Sabapathy, a researcher with McAfee Labs, in a blog.

The main component is a dropper that installs a set of other components – rooting exploit, IRC bot, and SMS trojan – onto the compromised Android device.

The malicious files “Header01.png” and “Footer01.png” masquerade as PNG image files but are actually ELF files; the former acts as a rooting exploit, Sabapathy related.

“The purpose of this component is to root the device which will then elevate the device’s privilege. Once the device is rooted, ‘Footer01.png’ connects to a remote IRC channel and the final component ‘Boarder01.png’ acts as a trojan which sends SMS messages to premium numbers. The other *.png files in the package are just random image files added to the package to thwart HASH-based detection”, he wrote.
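Because the padding images change the package hash, a content check is more useful here than a hash lookup. The sketch below is an added example, not code from McAfee or the article: it flags entries in an APK whose `.png` extension does not match their leading bytes. The `assets/` paths and the dummy file contents are constructed for illustration.

```python
import io
import zipfile

# Leading "magic" bytes of the formats relevant here.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ELF_MAGIC = b"\x7fELF"
SIGNATURES = {"png": PNG_MAGIC, "elf": ELF_MAGIC, "dex": b"dex\n", "zip": b"PK\x03\x04"}


def sniff(head: bytes) -> str:
    """Return the format name implied by the leading bytes, or 'unknown'."""
    for name, magic in SIGNATURES.items():
        if head.startswith(magic):
            return name
    return "unknown"


def find_disguised_assets(apk_bytes: bytes) -> list[tuple[str, str]]:
    """List (entry name, detected type) for .png entries that are not PNG data."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".png"):
                continue
            with apk.open(info) as fh:
                head = fh.read(8)  # the PNG signature is 8 bytes long
            detected = sniff(head)
            if detected != "png":
                findings.append((info.filename, detected))
    return sorted(findings)


def build_sample_apk() -> bytes:
    """Constructed sample: file names follow the article, contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/Header01.png", ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9)
        z.writestr("assets/Footer01.png", ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9)
        z.writestr("assets/logo.png", PNG_MAGIC + b"\x00" * 8)  # genuine PNG header
        z.writestr("classes.dex", b"dex\n035\x00")  # not a .png, so not inspected
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind in find_disguised_assets(build_sample_apk()):
        print(f"{name}: extension says PNG, content is {kind}")
```

An ELF binary carried under an image extension is a strong triage signal on its own, since a legitimate game has no reason to ship native code disguised as artwork.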

Sabapathy warned that if the user of a compromised Android device receives a message from his or her bank using a two-way authentication code, that message along with the mobile number is sent to the remote attacker, who can use it to compromise bank transactions.

“This alone tells us how serious this attack can be. However, we are not sure, at this point, what purpose they collect and use some of the data for, as we are not sure about what their server side code is and does”, he added.
